Malware prompts investigation, security precautions

University notifies all students, faculty and staff about malware investigation and potential data risk.

By Bryan Alary on January 5, 2017

A malware incident that occurred on North Campus late last November was quickly contained. Everyone whose privacy was identified as potentially at risk was quickly advised of the incident and their passwords have been reset.

University of Alberta computer systems are safe and secure following a malware incident in November, says the head of information security on campus.

The information security incident involved the installation of malware on 304 university computers in 20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science. An investigation by the university’s Information Services and Technology (IST) unit, U of A Protective Services and the Edmonton Police Service identified 3,323 students and staff whose university (CCID) passwords were potentially affected.

“These were individuals who logged into at least one of the infected computers during the incident timeframe,” explained Gordie Mah, the university’s chief information security officer. “Everyone whose privacy was identified as potentially at risk was quickly advised of the incident and their passwords have been reset.”

At the request of EPS and out of respect for the ongoing criminal investigation, Mah said the university was unable to inform the wider campus community until today.

After receiving reports from users about performance issues, an IST classroom and labs computing analyst found malware on Nov. 22 that had been physically installed on an initial 287 computers. IST’s incident response team then took immediate steps to contain the risk and performed a forensic analysis to determine the full scope of the incident.

“Malware is illicit computer software that attempts to do malicious actions through the affected computer,” said Mah. “The creator of this malware designed it specifically to harvest passwords, and in particular the university’s electronic credential, known as the campus computing ID, or CCID password.

“There has been no indication that any compromised passwords were used,” he added.

After containing the incident, the university emailed 3,304 individuals on Nov. 23 who had used the computers with advice about how to protect their privacy and to change their CCID passwords.

EPS began a criminal investigation and soon found malware on an additional 17 computers. Mah said this malware potentially affected another 19 users, who were also advised to change their CCID passwords.

As an extra precaution, IST forced a password reset for all 3,323 CCID accounts on Dec. 19. That meant that as soon as an individual tried to log into their CCID, they were prompted to contact IST.

Mah explained this kind of forced reset is considered a best practice in information security because it requires users to prove their identity, either on the phone or in person.

Protecting against malware

Shortly after its discovery, IST refined existing anti-virus and security controls to protect against this type of malware, Mah said, and will continue monitoring to ensure university systems remain secure. Several high-profile cyber attacks in recent months such as breaches that affected 1.5 billion Yahoo accounts show that ongoing vigilance is a reality—both for organizations and individual users, he said.

“No large organization is immune to these types of attacks. That said, we see no indication at present to suggest there is any imminent current risk or threat to our systems or our information.”

Mah said there are steps the U of A community can take to protect personal information, starting with completing the annual privacy and security acknowledgement and one-time training. Individuals can protect themselves by not reusing the same password across multiple websites or accounts and by not opening suspicious emails that could be phishing scams.

The university’s Information and Privacy Office has advised the Office of the Information and Privacy Commissioner of Alberta about this incident.

Edmonton police lay charges

EPS has charged one individual, Yibin Xu, 19, with mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence.

An EPS news release identified Xu as a U of A student. Vice-provost and dean of students Andre Costopoulos said he could not provide further information about the individual due to privacy legislation.